
Best security solution is 3 layered protection


spasserfan

This post is about how you should protect yourself in general. Though Comodo has the products to do this (when their antivirus/spyware solution is released soon), you can substitute any of their products with one of your own liking, but with the same features.

I post this since some in this forum mistakenly advise disabling Defense+ (a HIPS, which stands for Host Intrusion Prevention System) in Comodo Firewall Pro (at least they should say one should replace it with another HIPS, though this would use more system resources).

The Future of Computer Security

People keep asking me:

"Is AV dead? Is HIPS the ultimate solution? Are we going to need to have chips surgically implanted in our…"

Okay, let's not degenerate this in the first fifty words. I'd like to start with some facts about the state of software security for PCs.

1. The world does not protect itself against Zero Day attacks. The majority thinks it does, but reality begs to differ.

2. People buy AV products because they don't know any better. Ignorance is bliss, but not in security. Security checks have been bumped up since 9/11 – enough said.

3. People are lazy, myself leading that pack. We want things done, but we don't want to lift a finger. It's 2007, so we shouldn't have to!

Let me expand on these points.

1. The world does not protect itself against Zero Day attacks.

Our primary protection is the use of software products called AV (antivirus). These products essentially create a signature for the malware, which functions much like a mug shot does for a criminal, but only after the crime has been committed. In PCland, AV can never be used as protection against Zero Day attacks because the virus signature (a.k.a. the mug shot) has not been created yet; hence, no protection. In an ideal, if not idiotic, world, virii authors would be kind enough to submit their malware to AV vendors, wait for them to create signatures and update their AV users, and then release their malware to the public so that we could catch zero day attacks. We can expect that about as much as we can expect the criminal to go to the police and say "hey, I'm going to commit a crime", and the police to prevent the crime. My point: we just don't protect ourselves against Zero Day attacks.

2. People buy AV products because they don't know any better.

People buy a lot of AV, so it must be the best protection available, right? Wrong. This is not a good argument. People buy a lot of cigarettes, too. This is not to discredit AV; it does what it was designed to do, but it just isn't enough by itself. Fraudsters and their toys are a force to be reckoned with, and AV alone isn't up to the fight.

3. People are lazy.

Look around you: we built washing machines because we got tired of hauling our laundry and the washboard to the river and back. We built dishwashers so husbands wouldn't have to wash dishes (and spot on, I say!). From cars to nappies, humans demand easy-to-use, painless solutions that give us more time for ourselves and deliver the desired outcome with minimal effort. We want the same from our internet security. We can clap our hands and turn on a lamp, so we should be able to "plug and protect" our PCs just as easily.

The future, from my point of view.

Our houses have doors, burglar alarms and insurance. Well, most do, at least. If you don't have a door, a burglar can walk in and steal your PC; thus, the door prevents the burglar from entering.

But Melih, doors can be kicked in!

Yes, they can, so continuing to get stronger doors isn't much of a solution. This is why we should never rely on just one layer of security. The door to the house isn't enough, so we install a burglar alarm. If he can get in, at least we can detect him – prevention plus detection, two layers. Let's say he cuts your electric wires or manages to turn off the burglar alarm in another way (They make it look so easy on TV, don't they?). He walks away with not only your computer, but your priceless stamp collection, too. This is why we have insurance, to recover the value of stolen items. Thus, insurance is the cure, the third layer in our layered approach. Stacking up these layers, in order, to protect the PCs in our homes, we have:

1. A door for prevention

2. A burglar alarm for detection, and

3. Insurance for the cure.

I thought you were going to tell us how to secure our PCs, not our homes, Melih!

I just did. The layered approach can be just as easily applied to our PCs. We use AV as our main source of defense, but is AV prevention? No, it's detection, the veritable burglar alarm for a PC, but it must have the malware signature – the burglar's mug shot – or it won't sound the alarm. A new burglar, however, has a free pass, and no alarm goes off. This, my friends, is the infamous Zero Day attack, which our AV allows to happen. Now relax, AV devotees. I'm not saying AV is crap; I'm just pointing out its weaknesses, so calm down. With AV, our PC "house" has a burglar alarm but no door. Ridiculous, right? But that's how it is! Some of us employ Firewalls too, but that's also a form of detection, with a little prevention thrown in, if it's a decent Firewall that doesn't leak. If a firewall does leak, it lets the burglar (malware) take something out of the house or, in firewallspeak, make a call to the Internet with your sensitive information. A good firewall sounds an alarm in the form of a popup when this happens, and a really good firewall gives you advice on what to do next. You need both the AV and the firewall to detect someone coming in and things going out. So now our PC house has a decent burglar alarm (detection), but no door. Yikes!

Dude, where's my door?

This is where we are challenged and need to change the model altogether. We are backwards when it comes to our default settings, but we can overcome this. Today, it's fair to say that PCs are running with the "default: allow" function, which means they are allowing everything to run and hoping to catch the bad stuff before it executes. It's more of a swinging gate than a door, and can't really provide the prevention we seek.

So we should run with the "deny all" function and only allow the good stuff, right?

Bingo. With the "default: allow" in place, we operate on a system of "blacklisting", blocking only the things that we know ahead of time are destructive. By reversing that and only granting entry to those names on the "whitelist", we save ourselves the hassle of trying to figure out who's good and who's bad. If you aren't on the list, you're not coming in, period. Thus, we have a door, it's solid, and it's locked.

But Melih, who wants to deal with all the popups asking us if we trust 'this or that'?

Frankly, no one, but why are we making the assumption that the whitelist database will be limited? It is feasible to create a very cogent whitelist security layer which will be virtually noise-free for the average user, and that is exactly what we are doing.

The days of going to bed without locking the front door are long past. PC security is, or should be, just as important as the security of our homes and personal belongings. We deserve to live our lives without the constant worry of burglary and vandalism, and only a layered approach will give us that peace of mind in regard to our computers.

Melih's prediction: prevention will become the first line of defense!

thank you

Melih

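As an added illustration of the argument above (example code, not from the post and not Comodo's software): a toy model in Python that pushes the same programs through a "default: allow" blacklist door and a "default: deny" whitelist door, a signature alarm, and a backup snapshot as the cure. The program bytes, the whitelist hashes and the signature marker are constructed stand-ins.

```python
"""Toy model of the three-layer argument: a whitelist door (prevention),
a signature scanner (detection) and a backup snapshot (cure).
Constructed sample data only; no real AV, HIPS or file format is involved."""
import hashlib
from dataclasses import dataclass
from enum import Enum

# Constructed stand-ins for executables. A real whitelist holds hashes of
# vendor-vetted binaries; a real signature database holds far more than one marker.
KNOWN_GOOD = [b"notepad-v1-bytes", b"browser-v7-bytes"]
SIGNATURES = [b"EVIL_MARKER_2007"]          # the "mug shot" of a known bad program
ZERO_DAY = b"new-trojan-no-signature-yet"   # unknown to both lists
UNSIGNED_TOOL = b"homemade-utility-bytes"   # benign but unknown: causes a prompt

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

WHITELIST = {sha256(b) for b in KNOWN_GOOD}

class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    PROMPT = "prompt"   # unknown program: the popup the thread complains about

@dataclass
class Outcome:
    door: Verdict        # layer 1, prevention
    alarm: bool          # layer 2, detection (signature matched)
    executed: bool       # did the program get to run?
    compromised: bool    # did a bad program run?

def door(data: bytes, default_allow: bool) -> Verdict:
    """Layer 1. default_allow=True is today's PC ("default: allow", blacklist
    only); False is the whitelist door: on the list or you are not coming in."""
    if sha256(data) in WHITELIST:
        return Verdict.ALLOW
    return Verdict.ALLOW if default_allow else Verdict.PROMPT

def alarm(data: bytes) -> bool:
    """Layer 2. Fires only on a signature it already has."""
    return any(sig in data for sig in SIGNATURES)

def run(data: bytes, default_allow: bool, user_allows_prompt: bool = False,
        is_malicious: bool = False) -> Outcome:
    """Push one program through door and alarm. is_malicious is ground truth the
    defender does not have; it only records whether a run was a compromise."""
    verdict = door(data, default_allow)
    fired = alarm(data)
    executed = (verdict is Verdict.ALLOW or
                (verdict is Verdict.PROMPT and user_allows_prompt)) and not fired
    return Outcome(verdict, fired, executed, executed and is_malicious)

# Layer 3, the cure: a snapshot that restores whatever a bad run changed.
def snapshot(system: dict) -> dict:
    return dict(system)

def restore(system: dict, backup: dict) -> dict:
    system.clear()
    system.update(backup)
    return system

def demo() -> dict:
    """Same four programs under both policies, then the cure after the zero-day."""
    results = {}
    for policy, default_allow in (("default_allow", True), ("default_deny", False)):
        results[policy] = {
            "known_bad": run(b"x" + SIGNATURES[0], default_allow, is_malicious=True),
            "zero_day": run(ZERO_DAY, default_allow, is_malicious=True),
            "known_good": run(KNOWN_GOOD[0], default_allow),
            "unknown_tool": run(UNSIGNED_TOOL, default_allow),
        }
    system = {"hosts": "clean", "startup": "clean"}
    backup = snapshot(system)
    if results["default_allow"]["zero_day"].compromised:
        system["startup"] = "implant"      # the burglar walked off with the stamps
    results["restored"] = restore(system, backup) == backup
    return results

if __name__ == "__main__":
    for policy, runs in demo().items():
        print(policy, runs)
```

The known-good program passes both doors without a prompt, which is the "noise-free whitelist" point; the unknown benign tool is what produces the popup under default deny.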

So true, not surfing is the safest! :think: So what combination is the best, besides the AIO? Threatfire with Nod32 and Comodo Firewall?



spasserfan

I use Comodo Firewall Pro with Defense+ (Defense+ is the first layer, the firewall is one half of the second layer) and NOD32 (the other half of the second layer). I guess you could add better antispyware to the second layer; however, I have concluded, after testing quite a few antispyware programs, that I do not need this.

I have never tried Threatfire, but it is an antivirus, right? You should never run two antivirus programs at the same time (unless you disable on-access scanning in one of them and only use it on demand).

I would also recommend using Comodo BOClean and Memory Firewall (though CMF is in beta, I have never noticed any bugs with it). I used these before I reinstalled Windows, and I am going to again when I finish testing some tweaks :think:

If you know of other software with the same functionality, please post it.

As for layer 3 (the cure), you could use backup or disk imaging software. Comodo Backup is free, though I have not tested it; there is also Norton Ghost. I have done some manual backups, without using software for it, and therefore I cannot help you with this. But maybe someone else on this forum can.

By the way, what is AIO?




;) AIO stands for All In One!

Threatfire is not really an antivirus; it is supposed to prevent zero-day viruses. No virus definition updates required. Have not tried it yet, though!

I do not like to have too many security layers on my PC; they slow everything down.

As for layer 3, I use Acronis True Image for backup! So far, I have had to activate it only once.



spasserfan

AIO :doh:

Threatfire sounds more like a HIPS to me then. Defense+ is also there to PREVENT (the door ;) ) zero-day attacks (yes, attacks, not only viruses!). As for the slowdown, you are totally right; it is therefore also best if you can get an AIO ( :angelnot: ) solution, since that would minimize resource usage because everything runs in the same engine (or at least as much as possible, and definitely in one program). That is also why I am looking forward to CIS (Comodo Internet Suite), which by the way is optional, meaning you can choose exactly those features you want to install. Furthermore, BOClean will be built into CAVS3 (Comodo Anti Malware) and CMF will be built into CFP (and they all into CIS ;) )



Source

The above was written by Melih Abdulhayoglu, the President/CEO of Comodo.

That's an excellent article by Melih - nice of you to credit him. (It's not long before some Moron or the other turns up here at this thread and proclaims that it's better to use your head instead of a firewall - as though when one uses a firewall, one's brain would start to leak . . . . . ;) ) Undoubtedly, firewalls have taken over as the first line of defence, relegating AntiSpyware & AntiVirus utilities to the second & third lines (layers) of defence.

ps: Threatfire is a leading standalone HIPS with reasonably frequent upgrades.



spasserfan

I guessed that too. But I will not be using Threatfire, since that would eat up more resources than just using Defense+ when I use CFP anyway ;)

The reason I wrote "The above is written by Melih Abdulhayoglu, the President/CEO, Comodo" was actually just to say who Melih is (as you can see, I wrote his name in the quote, but I guess not many read that spot, so I might just start crediting at the bottom anyway).

Furthermore, the credit hopefully helps make the post a lot more trustworthy ;)



But I will not be using Threatfire, since that would eat up more resources than just using Defense+ when I use CFP anyway :)

Righto, I have a mind to install Threatfire to be used as a standalone HIPS after disabling the Defense+ component in Comodo. Unfortunately this will have to wait for some time as I'm a bit busy nowadays - I'd love to check it out soon, though.



spasserfan
(...)

Righto, I have a mind to install Threatfire to be used as a standalone HIPS after disabling the Defense+ component in Comodo. Unfortunately this will have to wait for some time as I'm a bit busy nowadays - I'd love to check it out soon, though.

Having two programs running instead of one (with the functionality of the two) uses more system resources. Is there any particular reason why you have chosen to disable Defense+? Or is it just because you want to test Threatfire?



spasserfan

(...)

Undoubtedly, firewalls have taken over as the first line of defence, relegating AntiSpyware & AntiVirus utilities to the second & third lines (layers) of defence.

(...)

Actually, firewalls are also the second line of defense (according to Melih in the above). What he means by first line of defense is a HIPS application (= Defense+ in CFP, and I think it is called HIPS in CAVS3).

I wonder why COMODO has not yet released defense+ as a separate application :rolleyes:



einstürzende

Threatfire is not a classical HIPS; it is some kind of "smart" behavior blocker + signature AV (V3.5 even adds itself to "Windows Security Center" as an AV).

I don't like it; it can fail at malware tagging if the malware does not trigger a combination of behaviors which Threatfire recognizes...

D+, as a full-featured HIPS, will warn you about every possible (known) API which can be used by malware.

I wonder why COMODO has not yet released defense+ as a separate application :rolleyes:

Yes, I would like that too; fortunately the FW department of CFP is perfect.



Having two programs running instead of one (with the functionality of the two) uses more system resources.

Not if one of them is disabled.

Is there any particular reason why you have chosen to disable Defense+?

I haven't - the Defense+ module of Comodo shall be disabled only after I install Threatfire.

Or is it just because you want to test Threatfire?

I'll be testing Threatfire, soon - probably in the next 10 days (it'd be great if someone else could do it earlier and report back.)

Actually, firewalls are also the second line of defense (according to Melih in the above). What he means by first line of defense is a HIPS application (= Defense+ in CFP, and I think it is called HIPS in CAVS3).

Technically speaking, he's right. However, HIPS utilities have failed to gain wide acceptance - I can see very few folks from our fraternity who've opted for one (even Comodo themselves don't have a standalone HIPS.) I was referring to the prevailing situation where most of us use a firewall (some with an in-built HIPS) as compared to a standalone HIPS. I agree, though - a HIPS should be one's first line of defence instead of a firewall.

I wonder why COMODO has not yet released defense+ as a separate application :rolleyes:

. . . . . me too.

Threatfire is not a classical HIPS; it is some kind of "smart" behavior blocker + signature AV (V3.5 even adds itself to "Windows Security Center" as an AV).

I don't like it; it can fail at malware tagging if the malware does not trigger a combination of behaviors which Threatfire recognizes...

D+, as a full-featured HIPS, will warn you about every possible (known) API which can be used by malware.

Nevertheless, since Threatfire is a standalone utility - I would like to check it out fully (only a full-blooded test would reveal all the pros & cons.) The level of customization, granularity, additional features and many other parameters will become apparent only after pitching it comparatively against the current Comodo Suite.



Please let me know if Threatfire works hand in hand with EAV... it would be great if they work together.

I would have tried it out myself if my kid weren't playing too many online games on this particular PC... hehehe

I'm testing something else on another PC and would not let Threatfire mess it up (if that happens).



spasserfan
Having two programs running instead of one (with the functionality of the two) uses more system resources.

Not if one of them is disabled.

You plan to disable CFP? I meant running the firewall in CFP and Threatfire would use more resources than just running CFP with Defense+, since you would use extra resources to run an extra application.

Actually, firewalls are also the second line of defense (according to Melih in the above). What he means by first line of defense is a HIPS application (= Defense+ in CFP, and I think it is called HIPS in CAVS3).

Technically speaking, he's right. However, HIPS utilities have failed to gain wide acceptance - I can see very few folks from our fraternity who've opted for one (even Comodo themselves don't have a standalone HIPS.) I was referring to the prevailing situation where most of us use a firewall (some with an in-built HIPS) as compared to a standalone HIPS. I agree, though - a HIPS should be one's first line of defence instead of a firewall.

I wonder why COMODO has not yet released defense+ as a separate application :eekout:

. . . . . me too.

I guess that is because almost everyone at the COMODO forum is using CFP (after all, that was what made COMODO famous, and at the moment it is the best-tested non-beta app they have; at the moment they actually have few apps not in beta :rolleyes:, however all the betas are of high quality (if it had been other companies, they might just have released them as final already and afterwards just released updates, but COMODO's high quality standard gives a better final product :D)... Back to my point :) Almost everyone at the forum uses CFP and therefore there is no demand for a separate Defense+ app at the moment (but I believe that it is coming in the future ;))

Threatfire is not a classical HIPS; it is some kind of "smart" behavior blocker + signature AV (V3.5 even adds itself to "Windows Security Center" as an AV).

I don't like it; it can fail at malware tagging if the malware does not trigger a combination of behaviors which Threatfire recognizes...

D+, as a full-featured HIPS, will warn you about every possible (known) API which can be used by malware.

Nevertheless, since Threatfire is a standalone utility - I would like to check it out fully (only a full-blooded test would reveal all the pros & cons.) The level of customization, granularity, additional features and many other parameters will become apparent only after pitching it comparatively against the current Comodo Suite.

Well, you cannot compare with the current suite since CAVS3 is not released. If you compare with CFP and NOD32 you get a firewall (in CFP, not in Threatfire), HIPS (both CFP (Defense+) and TF), a behavior analyser (advanced heuristics in NOD32 and Defense+ in CFP, but also in TF) and AV (NOD32 and TF; however, NOD32 has antimalware, and I do not know if TF can detect this). Can Threatfire detect rootkits like NOD32?




Yes, it does work very well with ESET NOD32 EAV, especially the version that you use (2.70.39.) I read about this in some other forum where a number of guys are running Threatfire hand in hand with NOD32 2.70.39 (V2 does combine with almost anything & everything. :rolleyes: )



You plan to disable CFP? I meant running the firewall in CFP and Threatfire would use more resources than just running CFP with Defense+, since you would use extra resources to run an extra application.

Agreed that it would cost more resources, but it's the only option since Threatfire doesn't come with a firewall - I mean to disable Defense+ just to prevent incompatibilities & conflicts between these two HIPS. We're just trying to test out Threatfire here (without trying to deprive ourselves of a firewall).

Back to my point :rolleyes: Almost everyone at the forum uses CFP and therefore there is no demand for a separate Defense+ app at the moment (but I believe that it is coming in the future :) )

True, there's no pressing demand for a separate Defense+ (as you write here and even as I mentioned in post # 12 - not many seem to be using a standalone HIPS.) However, when it does get released we'll have wider and better options - also, our first discussion at this post would also get covered.

Well, you cannot compare with the current suite since CAVS3 is not released. If you compare with CFP and NOD32 you get a firewall (in CFP, not in Threatfire), HIPS (both CFP (Defense+) and TF), a behavior analyser (advanced heuristics in NOD32 and Defense+ in CFP, but also in TF) and AV (NOD32 and TF; however, NOD32 has antimalware, and I do not know if TF can detect this). Can Threatfire detect rootkits like NOD32?

Oh no!!!!!

It's not merely Threatfire v/s CFP or something else - one has to strategise much more holistically. Only after Threatfire is tested in one's routine environment, will one find all the answers to the above questions. At the moment I'm running NOD32 2.70.39, Webroot Spy Sweeper 5.5.7.124, MailWasher Pro 6.1 and Comodo Firewall Pro 3.0.25.378 in perfect rhythm with each other - all standalone Security Systems (except for CFP, which is a Suite.) Moreover, most of the mentioned vulnerabilities that Defense+ addresses are already addressed by my other Security Tools. Hence my priorities are about other enhancements like granularity, customization, CPU cycles, etc. etc. Guess some folks may have an altogether different Security System with priorities totally different from mine - we'll need to appreciate their choice of software, too.

All said, I look forward to CFP with a standalone option that excludes Defense+ (but I also strongly believe they should continue with the present Suite.)



spasserfan
All said, I look forward to CFP with a standalone option that excludes Defense+ (but I also strongly believe they should continue with the present Suite.)

It is here already, though you would have to reinstall CFP to have the firewall module as a stand-alone option. When installing, you just have to choose not to install Defense+ but only the firewall.



Yeah, that's right - I'm well aware of it. Just happened to overlook it; although I've touched upon it in an earlier post below:-

http://www.nsaneforums.com/index.php?showtopic=10326&view=findpost&p=58710

Thanks anyways for the pointer. :)



spasserfan
Yeah, that's right - I'm well aware of it. Just happened to overlook it; although I've touched upon it in an earlier post, here - thanks anyways for the pointer

You are welcome... Always at your service :)




Yes, it does work very well with ESET NOD32 EAV, especially the version that you use (2.70.39.) I read about this in some other forum where a number of guys are running Threatfire hand in hand with NOD32 2.70.39 (V2 does combine with almost anything & everything. :) )

What about EAV v3.xx?

Sad to say, I guess it's a matter of time before ESET discontinues support for NOD32 2.7, as it is already not available for download on their website.



Not really sure how well Threatfire works with NOD32 EAV V3 - the recent V3 releases have displayed better tolerance and compatibilities. However, since I've not yet tried out this combo - it'd be a good idea to check with some folks. It'd be a sad day when all support to V2 is stopped.

I dare say the ESS Suite may likely not jell well with Threatfire (for obvious reasons.)




Yeah, V3 seems to use more resources than V2; I notice that boot-up time and loading time are slightly slower in V3 than V2.

But if it is better than V2, then I guess it's bearable to have a slight delay.
